Privacy Policy

Last updated: 2 March 2026

1. Who we are

Armchair Commentator is operated by Glitchless, s.p., a sole proprietorship registered in Slovenia, EU. Throughout this policy, "we", "us", and "our" refer to Glitchless, s.p.

For any privacy-related questions you can reach us at [email protected].

2. What data we collect

2.1 Account data

When you create an account we store:

  • Email address — used as your login identifier and for transactional emails (e.g. email verification, password reset).
  • Display name — optional, chosen by you.
  • Avatar URL — if you sign in with a third-party provider (Google, GitHub, Apple), we may store the profile picture URL they provide.
  • Hashed password — only if you register with email & password. We never store plain-text passwords.
  • Authentication provider & provider ID — the OAuth provider you used (Apple, Google, or GitHub) and the unique identifier they assign to your account.
  • Account timestamps — when your account was created, last updated, and last login.

2.2 Activity data

While you use the service we store:

  • Predictions — your answers to prediction questions (e.g. grid order, yes/no picks), together with submission timestamps.
  • Scores — calculated points per event, including a per-question breakdown.
  • Group memberships — which groups you belong to, your role (admin or member), and when you joined.

2.3 Technical & security data

  • JWT tokens — short-lived access tokens (30 min) and rotating refresh tokens (7 days) used for API authentication, stored in your browser's localStorage.
  • Session & CSRF cookies — standard Django security cookies. In production these are set to Secure and transmitted only over HTTPS.
  • Theme preference — your chosen UI theme (light / dark / system), stored in localStorage. This is not personal data.

3. How we use your data

We process your personal data exclusively for the following purposes:

  • Providing and operating the Armchair Commentator service.
  • Authenticating you and keeping your account secure.
  • Sending transactional emails (verification, password reset).
  • Calculating scores, generating leaderboards, and displaying group standings.
  • Complying with legal obligations.

We do not use your data for advertising, profiling, or automated decision-making.

4. Legal basis for processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — processing your account and activity data is necessary to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)) — security measures (tokens, CSRF protection, IP handling via Cloudflare) to protect the service and its users.
  • Legal obligation (Art. 6(1)(c)) — where we are required to retain data by applicable law.

5. Third-party services

We share personal data with third parties only to the extent necessary to operate the service:

Service             | Purpose              | Data shared
Apple Sign In       | Authentication       | OAuth code/token exchange
Google OAuth        | Authentication       | OAuth code/token exchange
GitHub OAuth        | Authentication       | OAuth code/token exchange
Cloudflare          | CDN & security proxy | IP address (via CF-Connecting-IP header)
SMTP email provider | Transactional email  | Recipient email address, email content

Some of these providers (Apple, Google, GitHub, Cloudflare) are based in the United States. Transfers to the US are covered by adequacy decisions or Standard Contractual Clauses (SCCs) as applicable under GDPR.

6. Analytics & tracking

We do not use any third-party analytics, tracking pixels, or advertising scripts. We do not use Google Analytics, Meta Pixel, or similar services. No data is shared with advertisers.

7. Data retention

We retain your personal data for as long as your account is active. If you delete your account, we will erase your personal data within 30 days, except where we are legally required to retain certain records.

JWT access tokens expire after 30 minutes. Refresh tokens expire after 7 days and are rotated on each use. Email verification and password reset tokens expire after 24 hours.

8. Your rights under GDPR

As an EU/EEA resident you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your personal data.
  • Restriction — request that we limit how we process your data.
  • Data portability — receive your data in a structured, commonly used, machine-readable format.
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec): www.ip-rs.si.

9. Cookies

We use only strictly necessary cookies:

  • sessionid — Django session cookie (used for admin panel).
  • csrftoken — Cross-Site Request Forgery protection token.

These cookies are essential for the secure operation of the service and do not require consent under GDPR/ePrivacy. We do not use any analytics, advertising, or tracking cookies.

10. Security

We take reasonable technical and organisational measures to protect your data, including HTTPS-only transmission, secure cookie flags, hashed passwords, rotating JWT tokens, and CSRF protection. However, no system is 100% secure and we cannot guarantee absolute security.

11. Children

Armchair Commentator is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email. The "Last updated" date at the top reflects the most recent revision.